disable
disable [auth | bclient | calibrate | kernel | monitor | ntp | pps | stats]
Provides a way to enable or disable various system options. Flags not mentioned are unaffected. Note that most of these flags can be modified remotely using ntpq utility program's :config and config-from-file commands.
...
monitor
Enables the monitoring facility. See the ntpq program and the monstats and mrulist commands, as well as the Access Control Options for details. The monitoring facility is also enabled by the presence of limited in any restrict commands. The default for this flag is enable.

Quote:

restrict address [mask mask] [flag][...]
The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the address is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. restrict default, with no mask option, modifies both IPv4 and IPv6 default entries. restrict source configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.
Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following

....
noquery
Deny ntpq and ntpdc queries. Time service is not affected.

I have recently completed a couple of security scans on our in-house GPS referenced NTP network time server and all reported that we should update to NTP 4.2.7 in order to solve the DRDoS amplification attack using ntpdc monlist command issue. However, I have noticed that the latest production version of NTP is 4.2.6 and that NTP 4.2.7 is only a development version. I feel uncomfortable with updating to a development version of NTP - has anyone else had similar issues ? We're using a GPS NTP Server from TimeTools.